Types of Scams
Scams
Scams are constant and ever-evolving. The types of scams we see today aren’t necessarily the scams we have seen in the past and may not be what we see going forward. Scams have also become increasingly sophisticated and harder to track as technology develops and affords scammers the ability to stay completely anonymous.
If you feel you may be falling victim to a scam, ask yourself the following questions:
- Does the opportunity sound too good to be true?
- Does this sound like a high-risk, high-reward opportunity?
- Is there urgency in completing a transaction?
- Do you feel uncomfortable completing what you were asked to do?
- Are you questioning any actions you have taken or have been asked to take?
- Have you been advised or directed by a 3rd party not known to you?
- Have you been advised not to be transparent with your financial institution or have been provided a cover story as your explanation?
- Has anyone requested remote access to your device?
- Has anyone requested passwords to your online banking, email, or other financial accounts?
- Has anyone asked you for your member identity code (MIC)?
- Have you opened any suspicious emails or clicked any suspicious links via email or text?
- Did you input your online banking credentials and/or other personal/financial information?
- Have you provided anyone with your one-time password (OTP) for online banking access?
If you have answered yes to any of these questions, we strongly recommend that you contact Vancity so we can ensure your account is protected and provide further advice.
You can learn more about Scam Prevention Tips on our Fraud Prevention page
Types of Scams
Business Email Compromise (BEC) scam
Investment scam
Employment scam
CRA/Emergency/Immigration/Bank Inspector scam
Romance scam
Phishing/Smishing scam
Vishing (voice phishing) scam
Remote Access scam
Online Shopping scam
Cheque Deposit Fraud scam
Business Email Compromise (BEC) Scam
Business Email Compromise (BEC) scams are a type of spear phishing attack using email communication in which fraudsters impersonate a known and trusted contact or colleague and attempt to trick their targeted victims into taking harmful actions. This can include attempts to gain system access, install malicious software, or, most commonly, to complete fraudulent transactions, specifically wire transfers or sending funds via Pre-authorized Payment. By leveraging the already established relationship between the email sender and the victim (email recipient), fraudsters convince the targeted victim to send the funds under fraudulent instruction or compromise sensitive information such as passwords and/or system access.
Red Flags:
- Look out for minor variations of email addresses and domain names
  - For example, example.com becomes exampie.com
  - Note legitimate email addresses can also be taken over and used for fraud purposes
- Wire transfer requests that contain changes or updates to wire beneficiary details (e.g. beneficiary name, bank account number, bank name/location, and currency).
- The sender is applying a sense of urgency to the transaction and is pressuring the employee to transact quickly
- Know the signs of social engineering, such as creating a sense of urgency or fear, or creating an expedited timeline for completion
- The request is often marked as “highly confidential” in order to maintain secrecy
- The requested transactions are inconsistent and/or out of the ordinary for normal course of business
- The email contains variations in tone, phrasing, terminology, writing style, and language that is different from past email correspondence with the same individual.
- The request contains spelling mistakes or grammatical errors
- The transaction request is occurring prior to a long weekend or holiday in hopes that the fraud will go undetected for a longer period
- The sender of the email indicates they can only be reached via email or by a new or unfamiliar phone number
- Always verbally verify the request with sender using a known phone number.
- Always think before you click when it comes to suspicious links or attachments.
Because this is a very common high-risk scam, we have provided examples of variations of the BEC scam below:
Example #1
John is the executive assistant to Mary, the CEO. John is aware that Mary is on vacation and may have limited access to email but can be reached by phone in an emergency. John receives an unexpected email from Mary from her existing email address with an urgent request to update a system password for the program that is used by senior leaders to manage payroll information. The email has several spelling mistakes and contains a hyperlink that the email indicates will allow Mary to remotely access the payroll system from her hotel room. As John was not expecting this email, and with the knowledge that other senior leaders could access the system internally without any remote access or password updates, John is skeptical and calls Mary at her emergency telephone number.
Red Flags:
- John receives an unexpected email from Mary while on vacation
- Email requested remote access which is out of the norm and considered suspicious
- Email has spelling mistakes
- Email creates a sense of urgency
Outcome:
Mary confirms that she has not sent this request. Mary indicates that she had recently used unsecured hotel Wi-Fi, and afterwards received numerous unsolicited spam emails. Mary subsequently discovers that her legitimate email address had been compromised and several emails had been sent from that address without her knowledge. John and Mary decide to remove Mary as an authorized user of the payroll system until they return from vacation and have their devices scanned and cleaned.
Example #2
Daphne is the CEO of a Non-Profit Organization (NPO) and works with James, the comptroller of the NPO, to coordinate bi-monthly wire transfers to a known social assistance program for grants to that program. All correspondence and wire remittance receipts are sent via email between James and the coordinator of the social assistance program, Eric. During an off-month period, James receives an email from Eric with a request to update beneficiary bank information to a different recipient bank for future wires, as well as a request to triple the amount normally sent as part of the grant program during this off-period. The email also requests that this and future wires be sent in US Dollars, whereas all previous wires were sent in Canadian Dollars. James advises CEO Daphne, who approves the update request but asks James to re-confirm the changes, as US Dollar wires have increased processing costs. James confirms the changes with Eric using the existing email thread. Eric confirms the changes, and the wire is sent and processed. One month later, the normal bi-monthly wire is sent, and James receives a subsequent email from Eric indicating that the program has not received the expected bi-monthly funds. James confirms that funds were sent using the updated bank recipient information that Eric had provided the month before. Eric then confirms that the program has not changed their banking information and did not send any emails requesting the information to be updated or additional wires to be sent.
Red Flags:
- Request was verified using the same email chain, without a verbal confirmation being completed
- Email is sent outside the normal bi-monthly contact cycle
- Email requests an update to banking information to a new and unfamiliar bank
- Email requests a significant increase in funds sent during an off-cycle
- Email requests a change in currency which is uncharacteristic for the account.
- Email uses a variation in spelling of the contact name (Eric vs. Erik)
Outcome:
James reviews the email thread and discovers that the email with the update request was sent using an email with a variation in spelling – Eric@example.com was changed to Erik@example.com in the email address and the change was not noticed. Daphne notifies their financial institution of the scam and reports the incident to police. Every effort is made to recall the wires on behalf of the NPO, but those efforts were unsuccessful.
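The address checks from the BEC red flags and from Example #2, shown as an added illustration that is not part of the original page: the script compares a sender address against a list of known contacts and flags near-matches in either the name or the domain. The contact list and sample addresses are constructed for the example.

```python
# Added example: flag sender addresses that nearly match a known contact.
# KNOWN_CONTACTS is a constructed list; a real one would come from your
# own address book or vendor records.
KNOWN_CONTACTS = {"eric@example.com", "mary@example.com"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: minimum inserts, deletes and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete from a
                           cur[j - 1] + 1,             # insert into a
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def split_address(addr: str):
    """Lower-case the address and split it at the last '@'."""
    local, _, domain = addr.strip().lower().rpartition("@")
    return local, domain


def classify_sender(addr: str, known=KNOWN_CONTACTS, max_dist: int = 1):
    """Return (verdict, matched_contact).

    'known'     exact match. This only means the address is the usual one;
                as Example #1 shows, a genuine mailbox can be taken over,
                so verbal verification still applies.
    'lookalike' same domain with a slightly different name, or same name
                with a slightly different domain. Treat as a red flag.
    'unknown'   no close relationship to any known contact.
    'invalid'   not in name@domain form.
    """
    local, domain = split_address(addr)
    if not local or not domain:
        return ("invalid", None)
    normalized = f"{local}@{domain}"
    known_lower = {k.lower() for k in known}
    if normalized in known_lower:
        return ("known", normalized)
    for contact in sorted(known_lower):
        k_local, k_domain = split_address(contact)
        d_local = edit_distance(local, k_local)
        d_domain = edit_distance(domain, k_domain)
        name_variation = d_domain == 0 and 0 < d_local <= max_dist
        domain_variation = d_local == 0 and 0 < d_domain <= max_dist
        if name_variation or domain_variation:
            return ("lookalike", contact)
    return ("unknown", None)


if __name__ == "__main__":
    # Constructed sample senders, including the two variations on this page.
    for sender in ["Eric@example.com", "Erik@example.com",
                   "eric@exampie.com", "billing@vendor.test"]:
        print(sender, "->", classify_sender(sender))
```

A "lookalike" result can also be a real colleague with a similar name, so it is a prompt to verify by phone using a known number, not proof of fraud.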
Investment Scam
Individuals may come across an exciting investment opportunity via email, social media (Facebook or Instagram), or through word of mouth offering low-risk, high rate of return investments. Individuals may also receive unsolicited phone calls or emails with general advice on investing.
Red Flags:
- You may be requested to complete a high-value outgoing wire, obtain a certified-funds cheque, or send E-transfers to crypto/investment companies
- You may be advised to withdraw from other investment portfolios to facilitate the new investment
- Investment opportunity may be time sensitive to secure guaranteed rate
- The sense of excitement from the investment opportunity may cause you to overlook that the investment may be too good to be true
- You have been coached to provide a cover story to your financial institution to mask the true purpose of the movement of funds. This may include home renovations, emergencies, or gifts to family members
- The investment company uses complex terminology, making it difficult for you to understand and explain the investment or how the investment is yielding a high rate of return
- The fee structure and withdrawal options are unclear or extremely complex
- Company or investment advisor is not registered with the Canadian Securities Administration or has little to no online presence
- All communication is done virtually via SKYPE or email
- Negative reviews with the Better Business Bureau or online
Employment Scams
Scammers will create a fake online job opportunity often through online recruitment sites that promise high income salaries with minimal effort required. Typically, opportunities are work from home and the victim never sees the actual employer in person.
Red Flags:
- These opportunities will seem expedited by offering you the position with no interview process or pre-screening
- Scammers often steal logos, images or content from legitimate business websites to make the opportunity appear genuine.
- The fake employer may ask you for personal banking information that is usually not asked for when accepting an employment opportunity (e.g. credit card number or online banking credentials/passwords)
  - Your employer does NOT need this information from you
- The job posting may not have detailed information on who to contact and most of the communication will be done via email or Skype
- These employers often pay in advance using cheque images sent via email and are often followed by a request to send the majority of funds back through E-transfer for the purchase of goods or equipment associated with the role, while allowing the employee to keep a portion as a payroll advance on employment that has not yet started
- The cheques are almost always counterfeit and will charge back leaving an overdraft on the account
CRA / Immigration / Emergency / Bank Inspector Scams
A scammer will call and claim to be an employee of a government agency, such as Canada Revenue Agency (CRA) / Service Canada, police, judges or emergency personnel such as paramedics and will request personal and financial information to facilitate ID Theft or secure funds. The caller may falsely claim that you have taxes or outstanding balances owing, may be facing arrest and/or jail time, or that a loved one has been in an accident and/or has been incarcerated and needs funds to be sent via wire or E-transfer, or cash to be sent via mail, to facilitate bail and costs of recovery.
Red Flags:
- Callers usually state that you have a compromised SIN number, or an outstanding case against you, and will use aggressive language to indicate tax owing, unpaid balances or claim you have committed a financial crime.
- Callers may also state that a loved one has been arrested and/or critically injured and needs immediate access to funds to pay legal costs, bail, or hospital fees
- These calls are known to be threatening and urgent. They claim that you OR your loved one will be (or may already be) arrested, fined or deported if you do not comply.
- You are usually asked to pay the fine or required funds in gift cards or bitcoin, via wire transfer, or they may ask you to send physical cash through the mail
- It is also common for scammers to send “police” to your home to pick up cash or cheques
- If you comply, the calls typically continue and escalate, and more reasons for sending additional funds will usually occur
- CRA does not allow tax refunds via e-transfer and the amount indicated is often incorrect or unexpected. The phishing site you are then redirected to asks for information that CRA should already have on file.
Romance Scams
Scammers create a fictional online personality to attract individuals that are looking for relationships via legitimate dating websites, social media platforms, and unsolicited text messages. Once a relationship is established financial assistance is usually requested to assist with hardship or to facilitate relocation to be together.
Red Flags:
- Scammers often prey on the emotions of those looking to be in a relationship; those who have recently suffered a loss of a loved one can be considered particularly vulnerable
- Scammers often use photos copied directly from online sources to trick the victim into believing they are speaking to that person
- An online relationship often develops quickly without meeting in person
- Requests for financial assistance usually start off slow and with smaller amounts but often escalate in frequency and dollar value
- After the first initial funds are sent, the scammer often creates more scenarios or delays that require further financial assistance and postpone meeting in person
- Scammers will often request the relationship is kept secret and not shared with family or friends
- Scammers may also request personal information to be used for identity theft at a later date
Phishing and Smishing Scams
Phishing refers to receiving unsolicited emails claiming to be from legitimate organizations you may be familiar with that request personal and financial information which is then used to commit fraud or facilitate ID Theft. Much like phishing, smishing refers to receiving the same unsolicited messages via text message. Phishing and smishing messages often contain harmful links that will redirect the recipient to a website which appears to be legitimate but is used to collect personal/financial information and passwords.
Red Flags:
- These messages often appear legitimate and may contain logos or other images of the organization they are attempting to impersonate
- Websites that you are directed to often look legitimate and mimic the actual organization’s website, but they have been set up to collect personal and financial information to be used for fraud at a later date
- Website URLs will NOT match the legitimate organization’s website
- The recipient may not be expecting to receive email or text communication from the organization
- The email or text message suggests a sense of urgency in taking action to protect your account or information
- Messaging may contain poor grammar or spelling mistakes unbecoming of a professional organization
- The notification may indicate a pending reimbursement or refunds that you are not anticipating
- Messaging may indicate clicking a link to block or unblock an account due to unauthorized logins
Vishing (Voice Phishing)
Much like phishing or smishing, vishing (voice phishing) refers to unsolicited phone calls from scammers purporting to be legitimate organizations requesting personal or financial information. Quite often, vishing scams involve confirmations of fraud that have not occurred in order to gain access to personal or financial information to conduct fraud.
Red Flags:
- A familiar organization reaches out with an urgent matter that requires you to disclose significant amounts of personal or financial information
- Quite often verification of fraud transactions that have not actually occurred are used to create a sense of urgency and as a cover to request personal or financial information or access to online accounts
- Multi-factor authentication one-time passwords are often requested to “verify” access or transactions
- Call display numbers and contact information can easily be manipulated to make it appear a familiar organization is attempting to contact you. Do not use call display as a “source of truth”.
- Caller may indicate the purpose of the call is regarding pending refunds or reimbursement that requires immediate action
Remote Access Scams
Remote access scams involve allowing a third party access to your device (desktop computer, tablet, smart phone), often to facilitate a solution for a technical issue such as virus removal from that device or to process a refund directly to your bank account. Often scammers will notify you via pop-up message or cold call, purporting to be financial institutions, Microsoft, Amazon, or PayPal, and request access to online accounts or sensitive personal information. Once access is granted, scammers often complete fraudulent transactions by disguising them as refunds or requirements to pay for services.
Red Flags:
- Pop-up messages containing phone numbers or cold calls from tech specialists requesting access to devices
- Legitimate anti-virus companies do not notify of issues via pop-up and don’t put their contact phone numbers within those messages
- Pop-up messages that indicate a virus is present on a device when none is found in an actual virus scan
- Tech support specialists from companies never cold call people requesting remote access to their devices
- Requests to download remote desktop software that provides remote access to the device
  - Examples include AnyDesk, TeamViewer Remote, RemotePC, GoToMyPC, Apple Remote, and BeyondTrust Remote Support
- Be wary if companies such as Amazon or PayPal request access to your bank accounts to process a refund directly. Refunds or reimbursements typically take 3-5 business days to process and are normally processed using the same method as the original payment
- Use caution if you are directed to log in to your online accounts directly while remote access is active
- Turn off your device if you see your mouse cursor moving or other activity occurring that you are not aware of
Online Shopping Scam
Scammers are able to create accounts on legitimate auction websites (such as eBay, Facebook Marketplace, Craigslist or Kijiji) and advertise products at a lower price than you would normally see. These enticing deals may convince you to purchase, however you will either not receive the product that was mentioned, or you will receive a lower quality version of a similar product. Sellers may also stop communication once funds are received and delete all advertisements or notifications for that product. Concert tickets, puppies, and rental properties are often linked to scams.
Red Flags:
- Fraudsters can also lure you in with ‘Sponsored’ posts on social media websites that seem genuine, but when followed lead to poor quality websites.
- You have not seen the goods being purchased in person
- Urgency in sending funds in order to secure goods
- Goods sold at drastically reduced or very low prices (too good to be true)
- A sudden increase in agreed selling price or demand for additional payment
Cheque Deposit Fraud Scam
This type of scam is often connected to various other scam types including employment scams, online shopping scams, Facebook Marketplace scams, lottery scams, and inheritance scams. Typically, someone sends you a cheque, asks you to deposit the money in your account and then asks you to forward most of the funds by wire transfer, e-Transfer, or money order elsewhere. Most of the time the cheques are an overpayment - the amount of the cheque is more than what was expected. Cheque Deposit fraud is one of the riskiest types of fraud for members, as you will be held liable for any overdraft that occurs as the result of a dishonored cheque.
Red Flags:
- The scammer will often send an image of the cheque instead of a physical cheque
- You are asked to deposit the cheque and send a portion of the cheque proceeds to another party - often someone not associated with original transaction
- Your “portion” is often referred to as the payment or funds earned and the remaining funds used to cover shipping fees, duty, movers, storage, or income earned.
- The face of the cheque may look suspicious and reflect multiple fonts, alterations, spelling mistakes, payable from an unrelated party, or is drawn on an out-of-province company and/or financial institution
- The payor of the cheque has no obvious connection to the transaction – for example, an insurance company would likely NOT be connected to the private sale of a fridge from Facebook Marketplace
- The scammer will create a sense of urgency to deposit the cheque and move funds right away before the clearing process has completed
- Just because a cheque has been deposited does not mean the funds are guaranteed; the cheque may be dishonored at a later date